Patients received an alert from Mercy Health Lorain (Ohio) Hospital, notifying them that their protected health information potentially may have been exposed in a data breach that happened at a revenue cycle management vendor.
According to the alert, RCM Enterprise Services reportedly discovered that it had mailed medical invoices to patients that had incorrect information. The usual practice followed by the vendor includes sending invoices which have names, street addresses, cities, states and zip codes, but inadvertently they sent out invoices which listed names, street addresses, and Social Security numbers.
The breach happened between Aug. 14 and Oct. 16, RCM Enterprise Services reportedly mailed invoices with Social Security numbers to the patients. The company since then has begun alerting hospitals and health systems whose patients may have been affected.
No evidence has so far been found that patients’ Social Security numbers may have been misused. Credit and identity monitoring has been offered by RCM Enterprise Services to the patients, who have also been recommended to review their financial statements.
